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Chapter  I. 


INTRODUCTION 


A  study  of  the  processes  involved  in  the  safety  components 


of  design,  construction,  and  proposed  systems  management  of  the 


new  Walter  Reed  Army  Medical  Center  (WRAMC),  Washington,  D.  C. 


was  conducted  during  the  period  of  August  1977  through  February 


1978.  This  was  accomplished  in  order  to  gain  a  complete  under¬ 


standing  of  the  procedures  and  responsibilities  involved  in  these 


processes  so  that  problem  areas  could  be  identified  and  analyzed. 


Development  of  the  Problem 


Conditions  which  Prompted 


the  Study 


The  design  of  the  new  WRAMC  has  incorporated  multiple 


functional  and  managerial  subsystems,  closely  integrated,  intended 


to  produce  an  efficient  and  effective  medical  treatment  facility. 


Through  the  design  and  construction  phases,  and  in  the  formulation 


of  operational  plans,  safety  has  been  considered,  and  has  become 


an  integral  part  of  each  subsystem.  The  realization  that  the  re¬ 


sultant  safety  of  design  was  only  a  by-product  of  good  engineering 
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practices,  has  been  addressed  as  a  significant  problem  by  the 


Safety  Director  and  Directorate  of  Facilities  Engineer  personnel. 

As  subsystems  become  increasingly  complex,  safety  problems  be¬ 
come  more  acute.  Accelerated  technology  and  demands  for  com¬ 
pressed  development  schedules  results  in  an  evolved  need  to  for¬ 
mally  organize  safety  engineering  and  management  throughout  all 
phases  of  the  system's  life  cycle. 

Statement  of  the  Problem 

-  / 

The  problem  was  to  determine  the  feasibility,  essential 

criteria,  and  the  expected  outcome  of  a  systems  safety  program 

applied  to  a  medical  treatment  facility  as  large  as  the  new  WRAMC. 

Limitations 

At  the  time  the  problem  solving  project  proposal  was  submitted 
the  scheduled  completion,  occupancy,  and  operation  of  the  new  WRAMC 
was  anticipated  to  be  in  the  December  1977  to  January  1978  time- 
frame.  Due  to  numerous  construction  delays,  the  transition  into 
the  new  medical  treatment  facility  is  interrupted  and  delayed  for 
up  to  an  additional  year.  For  this  reason,  the  evaluation  of  the 
efficiency  and  effectiveness  of  systems  functions,  staffing,  and 


proposed  transition  training/ orientation  of  personnel  must,  by- 
necessity,  be  on  a  theoretical  basis. 

The  system  safety  concept  as  defined  and  applied  in  the 
Department  of  Defense  System  Safety  Program  involves  the  estab¬ 
lishment  of  requirements  and  criteria  for  all  phases  of  the  safety 
life  cycle:  concept  formation,  contract  definition,  development, 
production,  and  operational  phases.  *  Due  to  the  advanced  stage 
of  the  development  and  production  phases  of  the  new  WRAMC  medi¬ 
cal  treatment  facility,  this  research  project  was  limited  to  the 
analysis  of  what  safety  engineering  and  management  has  taken 
place  to  this  point  secondary  to  good  engineering  practices,  and 
how  or  if  the  system  safety  concept  can  now  be  designed  and  applied 
to  the  operational  phase  of  the  new  WRAMC. 

Review  of  the  Literature 
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health  care  through  competent  diagnosis,  reliable  therapy,  and 

constant  safeguarding  of  the  patient.  To  do  this,  the  hospital 

must  apply  vigilance  to  the  total  safety  of  the  patient,  visitor,  and 

employee,  or  it  is  working  against  its  very  reason  for  existence. 

Simple  logic  would  suggest  that  hospitals  have  a  special  affinity  for 

practicing  safety.  Evidence,  however,  does  not  bear  out  this  idea. 

The  safety  record  for  health  care  facilities  in  the  recent  past  has 

2 

been  inferior  to  that  of  many  industries.  The  situation  clearly 
indicated  the  urgency  for  a  program  specifically  designed  to  re¬ 
duce  the  danger  of  accidents  from  physical  safety  hazards  or  un¬ 
safe  techniques. 

The  resultant  need  for  safety  consciousness  is  much  greater 
than  purely  the  avoidance  of  a  monetary  loss.  Carelessness  may 
mean  an  irreparable  setback  in  hard-won  public  goodwill  and 
community  relations.  Until  fairly  recent  years,  hospitals  have  en¬ 
joyed  a  peculiar  status  with  respect  to  the  doctrine  of  charitable 
immunity  in  which  churches  and  hospitals  could  not  be  held  responsi¬ 
ble  for  employee  negligence  leading  to  the  injury  of  others.  The 
courts  and  legislatures  of  most  states  have  abolished  this  doctrine 
with  the  legal  opinion  that  hospitals  are  basically  business  corpor¬ 
ations  and  are  subject  to  the  very  restrictions  and  penalties  imposed 
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on  businesses.  Hospitals  are  now  required  to  exercise  reasonable 

care  with  respect  to  the  maintenance  of  buildings  and  grounds,  the 

selection  of  equipment  for  the  purpose  intended,  the  maintenance 

of  this  equipment  to  ensure  proper  operation,  and  the  selection  or 

3 

retention  of  personnel.  These  principles  of  responsibility  were, 
in  part,  established  by  the  landmark  case  of  Darling  vs  Charleston 
Community  Hospital  in  1965. 

Throughout  recent  history,  a  plethora  of  standards,  regu¬ 
lations,  and  codes  affecting  safety  in  health  care  institutions  have 
been  promulgated  in  both  the  public  and  private  sectors.  These  docu¬ 
ments  have  all  identified  what  should  be  done,  but  none  have  pro- 

4 

vided  adequate  guidance  on  how  it  should  be  done.  The  most  com¬ 
prehensive  standards  and  requirements  in  terms  of  a  hospital's 
overall  safety  program  are  outlined  by  the  Joint  Commission  on 
Accreditation  of  Hospitals  (JCAH)  and  the  Occupational  Safety  and 
Health  Administration  (OSHA).  These  nationally  recognized,  con¬ 
sensus  standard- producing  organizations,  for  the  most  part,  refer¬ 
ence  the  Life  Safety  Codes  of  the  National  Fire  Protection  Association 

5  6 

(NFPA)  as  a  primary  basis  of  their  own  requirements.  ’  It  is  a 
recognized  fact  that  major  revision  of  standards  by  such  organi¬ 
zations  as  the  NFPA  will  lead  to  revision  of  the  JCAH  and  OSHA 
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requirements  and  standards. 


Problem  Solving  Methodology 

Research  for  this  project  was  primarily  conducted  by  means 
of  literature  review  of  technical  literature,  applicable  government 
publications,  public  and.  private  sector  regulations  and  standards, 
and  through  the  use  of  semi- structured  interviews  with  personnel 
in  safety,  fire  control,  facilities  engineer,  development  directorate. 
Army  Corps  of  Engineers,  logistics,  security,  and  hospital  staff 
members. 

Data  collection  was  aimed  at  determining  what  was  origin¬ 
ally  designed  and  what  was  the  current  status  of  systems  installed 
to  ensure  safety  within  the  new  medical  treatment  facility.  Further 
analysis  was  directed  toward  determining  the  viability  and  adapt¬ 
ability  of  established  Department  of  Defense  system  safety  concepts 
and  criteria  as  they  relate  to  the  new  facility.  This  analysis  also 
addressed,  in  part,  the  question  of  whether  NFPA  codes,  JCAH 
standards,  and  Army  standards  were  adequate  to  ensure  the  safety 
of  WRAMC  patients,  personnel,  and  facilities. 


VS  S  'i 


Objectives 


The  intermediate  objectives  of  the  problem  solution  were: 


1.  Determination  of  whether  the  new  WRAMC  can  be  classi¬ 


fied  as  a  system  having  characteristics  appropriate  for  a  System 


Safety  Program. 


2.  Examination  and  evaluation  of  present  management 


safety  components  of  the  emergency  power  subsystem,  materiel 


transportation  subsystem,  and  the  fire  protection  subsystem  of  the 


new  WRAMC  to  determine  their  adequacy  in  terms  of  system  safety 


management. 


3.  Examination  and  evaluation  of  present  engineering 


safety  components  of  the  emergency  power  subsystem,  materiel 


transportation  subsystem,  and  the  fire  protection  subsystem  of  the 


new  WRAMC  to  determine  their  adequacy  in  terms  of  system  safety 


engineering. 


4.  Evaluation  of  the  adequacy  of  NFPA,  JCAH,  and  Army 


Safety  Standards  in  meeting  the  new  WRAMC's  needs  in  terms  of 


system  safety. 


5.  Development  of  a  hazard  analysis  matrix  or  survey 


sheet  to  assist  in  the  documentation  of  system  safety  hazards  in 


terms  of  qualitative  and  urgency  measures. 
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6.  Development  of  recommendations,  based  upon  research 


findings,  of  safety  components  to  be  included  in  a  new  WRAMC  System 
Safety  Program. 

Criteria 

The  criteria  was  derived  from  national  and  organizational 
published  safety  standards.  These  include: 

National  Standards.  -  - 

1.  JCAH  standards,  as  published  in  their  1976  Accredi¬ 
tation  Manual  for  Hospitals,  as  revised,  states  that  a  hospital  must 
be  designed,  constructed,  equipped,  and  furnished  in  such  a  way  as 
to  be  in  compliance  with  all  applicable  building  codes,  fire  preven¬ 
tion  codes,  state  and/or  federal  occupational  safety  and  health  codes 
and  standards,  and  the  1973  edition  of  the  Life  Safety  Codes  of  the 
NFPA.  When  an  occasion  arises  where  there  is  a  conflict  in  applic¬ 
able  codes  or  standards,  the  more  restrictive  provisions  shall  pre¬ 
vail.  ^  The  JCAH  also  states  that  the  hospital  shall  have  compre¬ 
hensive  safety  systems  installed,  and  practices,  policies  and  pro¬ 
cedures  instituted  to  minimize  hazards  to  patients,  hospital  staff, 

g 

and  visitors.  The  standard  goes  on  to  interpret  detailed  require¬ 
ments  for  various  safety  subsystems  such  as  electrical  safety,  fire 


warning  and  safety  subsystems,  compressed  gas  systems,  engineer¬ 
ing  and  maintenance  systems,  etc. 

2.  Section  101  (Life  Safety  Codes),  Chapter  10  of  the 
1977  National  Fire  Codes,  published  by  the  NFPA,  provides  detailed 
engineering  requirements  lor  life  safety  from  fire  and  like  emergen¬ 
cies.  This  covers  both  new  construction  and  existing  facilities  of 
health  care  institutions.  In  terms  of  fire  protection  for  hospitals, 
this  code  requires  the  existence  of  an  electrically  supervised. 
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manually  operated  fire  alarm  system  installed  to  transmit  an  alarm 
automatically  to  the  responsible  fire  department.  It  also  states  that 
any  fire  detection  device  or  system  shall  be  electrically  interconnec¬ 
ted  with  the  fire  alarm  system,  and  that  all  detection  and  alarm 

9 

systems  shall  be  provided  with  an  alternative  power  supply. 

3.  The  1972  Safety  Guide  for  Health  Care  Institutions, 
published  by  the  American  Hospital  Association  and  the  National 
Safety  Council,  provides  broad  guidance  on  the  management  and 
engineering  of  safety  components.  The  Guide  emphasizes  the 
adherence  to  all  safety  standards  and  regulations,  recommends  a 
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safety  surveillance  program  concomitant  with  the  hospitals  size 
and  complexity,  and  delineates  the  objectives  to  include  in  both  the 
safety  surveillance  program  and  a  hospital  safety  education  program 
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DISCUSSION 


Walter  Reed  as  a  System 

On  August  26,  1972,  after  more  than  five  years  of  plan¬ 
ning,  groundbreaking  ceremonies  were  held  for  the  new  Walter 
Reed  Army  Medical  Center  (WRAMC).  Today  the  new  1,  280  bed 
hospital  stands  125  feet  tall,  equal  in  height  to  a  ten  story  building. 
The  hospital's  5,  500  rooms  cover  some  1.  2  million  square  feet  of 
floor  space.  The  four  inpatient  floors  each,  in  fact,  contain  more 
beds  than  eighty-seven  percent  of  all  the  hospitals  registered  with 
the  American  Hospital  Association. 

The  new  medical  treatment  facility  is  designed  as  a  modi¬ 
fied  Gordon  Friesen  concept  arrangement,  intended  to  provide  the 
most  up-to-date,  thorough  care  for  the  patient,  as  well  as  an 
efficient,  comfortable  working  environment  for  the  staff.  Archi¬ 
tecturally  designed  to  provide  optimal  patient  care  through  easy 
materiel  distribution  and  efficient  delivery  of  patient  care  services, 
each  of  the  new  WRAMC's  seven  patient  care  floors  are  sandwiched 

12 


these  service  floors  that  the  majority  of  the  utilities,  plumbing, 
electrical  wiring,  air  handling  and  life  support  systems,  communi¬ 


cation  lines,  and  automated  materiel  transportation  systems  are 
housed.  This  will  allow  for  eighty  percent  of  all  repairs  and 
routine  installations  to  be  performed  away  from  the  patient  care 


Concepts  in  ultimate  health  care  delivery  are  being  built 


into  the  new  facility  through  the  use  of  advanced  automated  mechani¬ 
cal  and  communications  systems,  and  through  the  use  of  innovative 
medical  and  administrative  support  concepts.  Automated  systems 
will  include  a  modern  "food  factory"  Food  Service  where  meal  items 
are  mass  produced  from  days  to  months  in  advance,  then  bulk  or 


individually  portioned,  chilled  or  flash  frozen,  and  stored  in  inven¬ 
tory  until  needed.  Computer  programs  will  assist  in  menu  and  in¬ 
gredient  preparation,  inventory  control  of  fresh  and  frozen  food 
supplies,  in  the  actual  preparation  process  by  monitoring  the 
appliances  in  the  production  area,  and  in  preparing  specialized 
diets  for  all  WRAMC  inpatients.  At  a  designated  time,  preportioned 
servings  arc  withdrawn  from  storage,  loaded  into  twenty  automatic 
loaders  and  six  manual  loading  stations,  and  then  automatically 
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loaded  onto  patient  trays  as  the  tray  travels  down  a  conveyor. 


Completed  trays  are  then  loaded  into  automatic  food  carts  which 
keep  the  food  items  refrigerated.  These  are  transported  to  patient 
wards  on  automated  monorails,  plugged  into  refrigerated  units  and 
a  half  an  hour  before  meal  time,  the  cart  will  start  heating  certain 
items  on  the  tray  to  the  proper  temperature  through  the  help  of  an 
internal  computer  program. 

Another  automated  system  is  the  Telelift  system,  an  elec¬ 
tronic  miniature  railcar  running  on  aluminum  track  through  the 
service  floors  and  along  two  major  vertical  tracks.  There  are 
78  sidings  located  in  nursing  care  units,  clinics,  operating  room 
area,  laboratories,  pharmacy,  and  key  administrative  offices. 
Designed  to  replace  the  conventional  pneumatic  tube;  records, 
x-ray  films,  laboratory  specimens,  and  administrative  materials 
will  travel  in  240  motorized  cars  at  an  average  speed  of  one  hun¬ 
dred  feet  per  minute.  Encoding  magnets  are  set  by  the  sender 
and  the  Telelift  cars  course  is  routed  by  electronic  sensors,  direct¬ 
ing  the  car  along  the  shortest  pathway  to  the  desired  destination. 

Computerized  systems  will  play  a  major  role  in  the 
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functioning  of  the  new  WRAMC.  They  will  furnish  complex  communi¬ 
cation  and  information  systems  such  as  the  Hospital  Information 
System  and  the  Interim  Food  Service  System  currently  being  de¬ 
veloped  by  the  DOD  Tri-Service  Medical  Information  System  Group. 
Computerized  systems  will  also  take  care  of  the  sterilization  and 
distribution  of  supplies  and  linens  throughout  the  hospital.  There 
is  also  a  computerized,  integrated  electronic  surveillance  system 
that  will  automatically  monitor  all  internal  transportation  systems, 
the  environmental  control  systems,  the  power  distribution  and 
emergency  power  systems,  gas  distribution  and  emergency  protec¬ 
tion  systems. 

An  innovative  management  system  found  in  the  new  WRAMC 
is  the  "Pri-Team"  nursing  concept.  Each  patient  on  the  ward  is 
assigned  to  a  nursing  team  consisting  of  a  registered  nurse,  a 
licensed  practical  nurse,  and  one  or  two  other  paraprofessional 
personnel.  This  team  is  responsible  for  all  nursing  care  delivered 
to  a  small  group  of  patients  from  the  time  they  are  admitted  through 
discharge.  This  includes  preparation  of  nursing  care  plans  and 
communication  with  staff  members  regarding  the  individual  patient's 


management  systems  which  will  govern  nearly  every  aspect  of  his 
care,  but  much  of  the  treatment  he  receives  will  be  the  outcome  of 
highly  advanced  processes  which  must  occur  in  a  very  coordinated 
manner  behind  the  scenes. 

The  new  Walter  Reed  clearly  fits  into  the  definition  of 
"system"  as  defined  by  the  system  safety  program  concept,  i.  e.  , 
as  defined  in  APPENDIX  A,  and,  indeed,  would  fulfill  the  require¬ 
ments  of  any  systems  definition.  Only  a  small  number  of  the  in¬ 
ternal  "subsystems"  designed  and  planned  for  the  new  WRAMC 
have  been  discussed  in  this  section.  It  is  evident  that  the  new 
medical  treatment  facility  is  an  accumulation  of  highly  complex 
operational  and  support  subsystems  that  must  be  accurately  inte¬ 
grated  to  produce  the  desired  outcome  of  a  total  health  care  system. 

Management  Safety  Components  Evaluation 
There  are  many  possible  faults  in  any  given  system,  in¬ 
cluding  its  safety  components.  If  a  subsystem  does  become  faulty  fo: 


safety  or  any  other  reason,  the  overall  effectiveness  and  efficiency 
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of  good  system  design  and  thorough  analysis,  engineering,  and 
management  of  all  components,  including  safety,  becomes  critical 
in  maintaining  system  and  subsystem  integrity. 

The  Department  of  Defense  System  Safety  Program,  as 
outlined  by  Military  Standard  882,  is  directed  at  the  procurement 


of  the  total  health  care  system  is  compromised.  The  importance 


of  major  military  defensive  and  tactical  systems.  The  principles 
utilized  in  the  standard  are  applicable,  however,  to  the  preparation 
of  safety  requirements  for  contractural  documents  in  the  procure¬ 
ment  of  all  types  of  military  systems.  The  scope  and  magnitude 
of  the  system  safety  program  must  be  tailored  to  the  specific  re¬ 
quirements  and  peculiarities  of  the  system  or  project  involved. 


The  program  places  the  responsibility  of  system  safety  tasks,  i.  e.  , 
identifying,  planning,  organizing,  controlling,  and  analyzing  all 


program  elements,  upon  the  prime  contractor  for  the  system. 

The  original  plan  outlining  these  responsibilities  are  prepared  and 
inserted  into  the  contract  by  the  procuring  activity.  It  is  also  in¬ 
cumbent  upon  the  contractor  to  conduct  system  safety  program  re¬ 
views  to  assess  the  status  of  compliance  with  the  overall  safety 


Jp 


operation  of  the  system  before  the  system  is  accepted  by  the  Corps 
of  Engineers.  Few  exceptions  to  this  procedure  exist.  Two  known 
exceptions  include  the  testing  of  all  elevators  by  General  Services 
Administration  inspectors  and  for  testing  of  the  heating  -  ventilating  - 
air  conditioning  system  by  a  professional,  independent  inspecting 
firm.  ^  The  Baltimore  District  Office  of  the  Corps  of  Engineers 
develops  all  test  plans  that  the  contractor  must  meet.  These  test 
criteria  are  based  upon  the  standards  specified  in  the  original  con¬ 
tract  and  the  test  plans  are  themselves  included  in  these  contracts. 
The  systems  test  is  also  supervised  by  the  Corps  of  Engineers.  It 
became  evident  to  this  researcher  that  many  of  the  personnel  in  the 
Directorate  of  Facilities  Engineer  who  will  ultimately  become  re¬ 
sponsible  for  the  management  of  a  given  system,  do  not  feel  that 
adequate  systems  tests  are  performed  before  that  system  is  accepted 
by  the  Corps  of  Engineers.  A  primary  example  of  this  is  the  inability 
to  identify  all  components  that  are  supplied  by  the  standby  emergency 
power  source.  A  major  component  that  should  be  supplied  by  the 

emergency  power  system,  as  required  by  NFPA  76A,  and  is  not  so 

7 

supplied  is  the  hospital  public  address  system. 


This  should  be 
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readily  available  for  issuing  instructions  to  patients  and  staff  during 
emergency  situations. 

The  original  systems  test  plan  for  the  monorail  transpor¬ 
tation  subsystem  also  contained  inherent  weaknesses  in  its  design. 

The  initial  tests  of  the  system  were  conducted  with  the  monorail 
subcontractors  personnel  present  in  the  interstitial  space.  This 
allowed  the  subcontractor  personnel  to  assist  c arts  that  were  having 
difficulties  along  the  track  and  to  manually  activate  directional  relays 
that  would  not  activate  automatically.  When  this  situation  was  recog¬ 
nized  during  the  analysis  of  the  original  tests,  further  testing  proto¬ 
cols  were  developed  which  prohibited  any  monorail  subcontractor 

g 

personnel  within  the  interstitial  space. 

An  established  management  safety  component  is  the  systems 
training  of  WRAMC  personnel  in  one  of  two  areas:  system  maintenance/ 
operator  training  and  system  user  training.  The  complexity  of  the 
given  system  is  generally  the  determinant  of  the  extent  of  the  training 
furnished.  Training  plans  are  developed  by  the*  Area  Engineer,  based 
on  his  analysis  of  need,  and  staffed  through  the  systems  contractor 
before  being  included  in  the  cont.ract.ural  agreement.  Facilities 
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emergency  lire  warning  and  protection  subsystems.  The  ability  to 
monitor  and  retrieve  this  data  ensures  compliance  with  all  functional 

safety  standards,  for  the  subsystems  mentioned,  as  required  by 

12  . 

JCAH.  These  JCAH  standards  are,  themselves,  a  compilation 

of  the  National  Fire  Protection  Association  (NFPA)  Life  Safety 

Codes. 


Engineering  Safety  Components  Evaluation 
There  are  a  multitude  of  primary  mechanical  systems  de¬ 
signed  and  installed  in  the  new  WRAMC  which  apply  advanced  engi¬ 
neering  techniques  and  which  will  require  technical  competence  for 
safe  operation  and  maintenance.  These  systems  include,  in  part, 
all  transportation  components,  environmental  control,  power  distri¬ 
bution,  gas  distribution,  communication,  computerized  information, 
waste  disposal,  fire  protection,  and  materiel  management  subsystems. 


The  functions 


and  responsibilities  of  ensuring  engineering  safety  is 


somewhat  different  between  the  DOD  System  Safety  Program  and  the 
conventional  methods  utilized  in  designing  and  building  the  new  WRAMC. 
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The  DOD  System  Safety  Program  is  aimed  at  providing  a 
disciplined  approach  to  methodically  control  and  evaluate  the  safety 
level  of  a  system's  design  and  to  identify  hazards  and  prescribe 
corrective  action  in  a  timely,  cost  effective  manner.  This  is 
accomplished  through  the  application  of  scientific  and  engineering 
principles.  The  principles  and  methodologies  of  engineering  safety 
components  are  closely  associated  with  and  overlap  those  of  manage¬ 
ment  safety  components.  The  success  of  the  program  is  directly 

13 

dependent  upon  management  emphasis. 

Safety  engineering  components  are  also  a  responsibility 

of  the  prime  contractor  from  the  concept  formulation  phase  through 

the  development  and  production  phases,  according  to  DOD  System 

14 

Safety  Program  requirements.  This  requires  the  evaluation  of 
safety  engineering  objectives  against  safety  design  criteria  to  pro¬ 
vide  the  early  identification  and  correction  of  safety  hazards  before 
the  production  and  operational  phases.  The  methods  of  ensuring 
safety  engineering  for  the  new  WHAMC  were,  again,  somewhat 
different.  The  basic  design  objectives  were  outlined  by  the  Corps 
of  Engineers  and  given  to  the  potential  primary  contractors  during 
the  concept  development  phase.  The  resultant  safety  of  design  was. 


therefore,  a  by-product  of  good  engineering  practices  with  emphasis 
on  current  safety  standards  and  codes.  The  design  engineer  was 
then  expected  to  incorporate  the  necessary  features  and  operational 
procedures  into  the  system  to  assure  the  overall  safety  of  the  new 


WRAMC. 


Located  on  the  second  floor  of  the  new  WRAMC  is  the  En¬ 
vironmental  Control  Unit,  a  room  designated  to  the  Facilities  Engineer 
for  the  integrated  electronic  surveillance  of  all  mechanical  equip¬ 
ment  in  the  new  WRAMC.  The  Environmental  Control  Unit  (ECU) 
will  serve  as  the  single  most  important  component  of  safety  manage¬ 
ment  procedures  to  be  utilized  in  the  new  medical  treatment  facility. 
The  functions  of  the  ECU  center  around  a  General  Data  Corporation 
NOVA- 1  200  computer.  This  computer  has  the  capacity  of  moni¬ 
toring  3,000  in-put  control  points.  As  designed,  the  computer  will 
initially  monitor  120U  control  points  on  all  seven  floors  and  inter¬ 
stitial  spaces  of  tin;  new  facility.  It  will  receive  m-  put  on  the  oper¬ 
ational  status  of  the  heating  -  ventilating  -  air  conditioning  systems, 
chilled  water  pumps,  pumps  for  and  pressure  of  the  domestic  water 
supply,  medical  gas  systems,  compressed  air  system,  vacuum  sys¬ 
tem,  all  fire  protection  systems,  all  internal  t  vans  p<  >  nn  t  ion  systems 
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including  the  trash  and  linen  collection  systems,  all  emergency 
power  systems,  the  pressure  on  the  incoming  steam  line,  and 
other  miscellaneous  pumps.  The  monitoring  system  will  function 
by  the  computer  continuously  sending  out  signals  to  each  control 
point  and  then  receiving  a  return  signal  from  that  control  point. 

If  the  computer  receives  a  normal  response  from  the  control  point, 
nothing  happens.  If  the  response  is  abnormal,  a  message  acknowledg¬ 
ing  that  fact  and  the  control  point  involved  will  be  displayed  on  a 
cathode  ray  tube  monitor  and  simultaneously  be  printed  out  on 
teletype  printer.  Engineering  personnel  will  monitor  the  cathode 
ray  tube  and  all  other  ECU  functions  on  a  continuous  basis.  When 
a  control  point  does  monitor  a  malfunction,  ECU  personnel  will  dis¬ 
patch  maintenance  personnel  to  inspect  that  control  point  and  make 
any  necessary  repairs. 

The,  ECU  computer  is  also  designed  to  run  .1  printout  of 
the  building's  systems  status  each  bay  -  This  will  assist  in  the  plan¬ 
ning  ot  repairs  and  net  as  a  d.  ta  source  for  establishing  more  energy 
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a  lions.  The  eicinee  ring  personnel  also  wall  ha\  e  toe 


capability  of  'ealli  w  up"  any  s>,  stem  or  control  point  to  double  cheek 
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realization  of  basic  design  deficiencies  has  resulted  in  extensive 
re-evaluation  of  the  emergency  power  components.  Emergency 
power  is  generated  by  eight  diesel  engines,  each  having  a  one 
thousand  kilowatt  capacity,  which  individually  run  a  generator 
having  a  six  hundred  kilowatt  capacity.  The  hospital  is  geo¬ 
graphically  divided  into  quadrants  with  the  emergency  power  for 
two  quadrants  supplied  by  one  bank  of  four  generators  and  the 
other  two  quadrants  by  the  other  bank  of  four  generators.  There 
are  three  life  safety  and  critical  branches  of  the  emergency  power 
system  which  can  adequately  be  supplied  by  one  generator  from 
each  bank  of  four  generators.  Extensive  testing  of  the  emergency 
power  system  was  performed  prior  to  its  acceptance  from  the  con¬ 
tractor.  Each  week  the  Facilities  Engineer  personnel  run  30  minute 

tests  of  each  emergency  generator  under  actual  or  simulated  loads 

15 

as  required  by  the  NFPA.  The  NFPA  codes  also  require  the  auto¬ 
matic  transfer  of  power  to  the  emergency  power  source  within  ten 
seconds  of  the  regular  power  source's  failure.  Test  of  the  new 
WRAMC  emergency  generator  system  have  shown  that  a  bank  of 
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minute.  The  ACCO  monorail  system  is  a  power-free  system; 

part  of  the  time  the  carts  are  driven  forward  by  a  power  chain 

system,  the  rest  of  the  locomotion  is  a  gravity  fed  system  where 

the  monorail  tips  downward  and  the  cart  moves  by  a  combination 

of  inertial  and  gravitational  force.  This  system  is  designed  to 

move  the  cart  in  the  interstitial  spaces  at  a  maximum  speed  of 

forty  feet  per  minute.  The  movement  of  these  carts  between 

floors  is  provided  by  a  cart-lift,  dumbwaiter  type  system  that 

travels  at  350  feet  per  minute.  Basic  design  requirements  for  the 

ACCO  monorail  system  were  the  responsibility  of  the  contractor 

of  the  system.  Design  specifications  for  ensuring  a  safe  design 

and  operation  are  governed  by  the  Occupational  Safety  and  Health 

17 

Administration  (OS HA).  As  required,  a  delay  mechanism  is 
built  into  the  monorail  system.  When  the  start  switch  is  activated 
there  is  a  ten  second  operational  delay  during  which  time  warming 
buzzers  sound  throughout  the  monorail  systems  conveyor  area. 
This  will  allow  any  maintenance  or  contractor  personnel  working 
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along  the  monorail  pathway  to  get  themselves  out  of  the  way  before 
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the  carts  on  the  monorail  start  to  move.  An  additional  safety- 
feature  is  the  presence  of  emergency  stop  buttons  every  forty 
feet  along  the  monorail  pathway  in  the  interstitial  floors  so  that 


if  any  maintenance  personnel  see  something  wrong,  they  can 
immediately  stop  the  system.  A  clutch  system  is  also  included 
on  the  portion  of  the  monorail  system  that  is  powered  so  if  some¬ 
thing  were  to  get  in  the  pathway  of  a  moving  cart,  the  cart  would 
stop  with  a  pre-established  amount  of  pressure  and  the  drive 
clutch  would  slip. 

Facilities  Engineer  personnel  will  have  the  responsibility 
of  maintenance  and  safety  of  the  ACCO  monorail  and  Telelift  systems 
The  ECU  will  play  the  major  role  in  these  functions.  The  monorail 
cart-lift  will  be  considered  a  dumbwaiter  type  system  and  will  fall 

under  the  NFPA  and  American  National  Standards  Institute  codes  for 

1 8 

elevators  and  dumbwaiters.  Inspections  to  date  exhibit  compliance 
with  standards.  The  General  Services  Administration  will  conduct 
periodic  inspections  of  the  ACCO  cart-lift  system  as  they  will  with 
all  other  elevator  and  dumbwaiter  systems  in  the  new  WRAMC. 

The  fire  protection  system  for  the  new  medical  treatment 


facility  is  a  compilation  of  subsystems  which  include  the  standpipe 
subsystem,  automatic  sprinkler  subsystem,  automatic  smoke  detec¬ 
tion  subsystem,  heat  detection  devices,  automatic  carbon  dioxide  and 
halon  extinguishing  subsystems,  fire  extinguishers,  and  compartmen¬ 
talized  fire  zone  construction.  All  of  these  fire  protection/suppressant 

subsystems  currently  meet  NFPA,  JCAH,  and  OSHA  fire  safety  code 

19 

requirements  except  for  one  notable  exception.  The  standpipe  sub¬ 
system  was  designed  as  a  dry  system,  i.  e.  ,  without  water  maintained 
in  the  system  at  all  times.  At  the  time  of  design  completion  and 
awarding  of  the  contract  in  1972,  a  dry  standpipe  system  complied 
with  NFPA  and  JCAH  requirements.  Since  that  time,  JCAH  has 
increased  their  requirements  to  a  wet  (primed)  standpipe  system 
and  have  limited  the  equivalencies  that  they  will  accept.  Walter 
Reed  has  developed  change  orders  for  the  contractor  to  convert 
the  present  dry  standpipe  subsystem  to  a  modified  wet  system. 

The  present  system  consists  of  a  twelve  inch  mainline  around 
the  basement  perimeter  of  the  building.  From  this  line,  there 
tire  six  inch  risers  that  periodically  come  off  and  travel  to  the 
seventh  floor.  Two  and  one  half  inch  lines  exit  the  risers  at  each 


floor  and  interstitial  space  and  travel  to  fire  hose  connections 
throughout  the  hospital.  Fire  department  Siamese  connections 
are  located  externally  at  each,  corner  of  the  building.  It  is  to 
these  locations  that  the  fire  trucks  would  go  in  case  of  fire  and 
pump  water  into  the  standpipe  system  while  firemen  take  hoses  to 
the  appropriate  location  and  connect  with  the  internal  hose  connec¬ 
tions.  As  the  system  now  stands,  it  is  estimated  that  it  would  take 

something  over  one  hour  to  pump  enough  water  into  the  system  to 
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reach  the  seventh  floor.  JCAH  now  requires  that  standpipe  sys¬ 
tems  be  wet,  having  a  separate  constant  water  supply  and  an  in¬ 
ternal  pump  which  will  maintain  a  constant  water  pressure.  The 
modified  wet  standpipe  system,  having  received  JCAH  equivalency 
approval,  will  allow  WRAMC  to  maintain  a  primed  standpipe  system 
which  will  continue  to  require  fire  department  pumpers  to  connect 

to  external  Siamese  connections  to  furnish  a  source  and  pressure 

,  ,  2] 
of  water  supply. 

Other  fire  protection  systems  provide  numerous  sophisticated 
methods  of  detection  and  control.  The  interstitial  spaces  are  each  pro¬ 
tected  by  sixty  to  seventy  heat  detectors  that  are  activated  by  cither  a 
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that  inevitably  stirs  the  general  public,  professional  groups,  and 
governmental  officials  to  take  corrective  action.  This  corrective 
action  takes  the  form  of  legislation  which  in  the  area  of  building 
construction  is  known  as  building  codes  and  standards.  The  mini¬ 
mum  standards  are  established  to  protect  the  health  and  safety  of 
the  general  public  and  generally  represents  a  compromise  between 
optimum  safety  and  economic  feasibility.  The  promulgation  of 
modern  building  codes  which  are  in  use  today  began  with  the  dis¬ 
astrous  fire  incidents  which  this  country  experienced  at  the  turn 

of  the  century.  As  early  as  1905,  the  National  Board  of  Fire 
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Underwriters  published  a  National  Building  Code.  Since  that 
time  numerous  organizations  have  developed  codes  that  estab¬ 
lished  requirements  that  differ  widely  from  one  jurisdiction  to 
another.  Recognizing  problems  involved  with  regional  require¬ 
ments,  national  organizations  have  been  formed  to  promote  uni¬ 
formity  of  building  codes  and  safety  components.  These  are  usually 
adopted  into  building  specification  documents  and  are  a  basis  for 
accreditation  standards  in  hospitals  today.  The  Life  Safety  Codes 
portion  of  the  National  Fire  Codes  are  a  compilation  of  codes. 
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standards,  recommended  practices,  manuals,  guides,  and  model 

laws  prepared  by  technical  committees  organized  under  the  NFPA. 

Numerous  NFPA  standards  are  referenced  by  the  model  building 

codes  and,  thus,  obtain  legal  status  where  these  model  codes  are 
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adopted. 

Throughout  recent  history,  an  enormous  number  of  standards 

regulations,  and  codes  affecting  safety  in  health  care  facilities  have 

been  promulgated.  These  have  emphasized  what  should  be  done  to 

comply,  but  have  failed  to  adequately  direct  how  it  should  be  done. 

Practical  guidance  on  how  to  comply  with  the  intent  of  all  established 

requirements  has  been  noticably  lacking.  This  has  recently  changed 

with  the  publication  of  the  Hospital  Safety  Compliance  Guide  by  David 
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R.  Elv/ing.  This  source  appears  to  this  researcher  to  perform  a 
vital  service  to  health  care  facilities  by  acquainting  hospital  person¬ 
nel  with  the  code  requirements,  their  intent,  and  practical  methods 
of  compliance.  This  could  most  beneficially  be  used  by  hospitals 
conventionally  designed  in  accordance  with  established  standards 


The  usefulness  of  safety  analysis  during  a  projects  con¬ 


ceptual  and  design  phases  is  also  well  established.  A  systematic 
approach  to  safety  can  materially  contribute  to  a  system's  effec¬ 
tiveness  by  increasing  the  system's  availability  due  to  freedom 
from  accidental  loss  or  damage,  its  dependability  due  to  safe  de¬ 
sign,  and  its  capabilities  due  to  safe  performance.  This  is  the 
primary  purpose  of  a  system  safety  program,  established  for 

major  systems  acquisition  by  the  Army  and  adequately  documented 
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in  many  DOD  documents.  ’  When  systems  have  been  developed 
without  adequate  analysis  and  identification  of  potential  hazards,  and 
suggestion  of  corrective  actions  during  the  design  phase  do  not  occur, 
the  result  tends  to  be  costly  retrofit  actions  necessary  before  safe 
implementation  of  that  system  can  be  accomplished. 

It  is  incumbent  on  each  health  care  facility  designer  and 
manager  to  systematically  review  and  implement  all  applicable 
standards,  codes,  and  regulations  so  that  he  can  essentially  eliminate 
all  faults  within  that  system. 


of  communication  for  reporting  suspected  safety  hazards  and  estab¬ 


lished  mechanisms  for  analyzing  systems  for  potential  hazards  are 
essential  to  any  safety  program.  This  researcher  determined  a 
common  perception  that  these  factors  are  lacking  at  WRAMC.  As 
the  WRAMC  personnel  assume  control  of  the  new  facilities  systems, 
this  fact  must  be  corrected. 

Hazard  analysis  is  a  systems  safety  technique  designed  to 
determine  the  adequacy  of  design  concepts  and  operational  procedures 
to  meet  the  essential  safety  characteristics  of  the  system.  Analysis 
at  the  systems  level  is  designed  to  investigate  possible  hazards  that 
may  exist  in  the  interface  between  subsystems,  where  the  effects  of 
malfunctions  or  failures  in  one  subsystem  may  produce  a  hazardous 
effect  in  another  subsystem.  Once  identified,  actions  arc  initiated 
to  either  eliminate  or  control  these  hazards.  Hazard  analysis  at 
the  operational  level  is  performed  to  point  out  the  operating  functions 
which  cbould  be  hazardous  to  personnel,  equipment,  or  both.  The 
results  of  this  form  of  analysis  will  often  lie  safety  precautions, 
procedures,  or  warnings  that  need  to  be  included  in  safety  training 
programs  and  operational  standard  operating  procedures. 
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Much  of  the  work  in  hazard  analysis  is  concerned  with 
hazard  categorization.  An  attempt  is  made  to  identify  potentially 
hazardous  components  or  events  and  classify  them  according  to 
their  criticality,  i.  e.  ,  negligible,  marginal,  critical,  or  cata- 
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strophic.  Given  the  level  of  criticality  of  an  identifiable  hazard, 
safety  should  also  be  viewed  in  terms  of  the  urgency  required  for 
providing  corrective  actions  based  on  the  hazard  category.  The 
information  given  by  safety  hazard  analysis  may  be  compiled  in 
many  formats.  The  format  used  should  be  one  which  will  give  the 
desired  information.  An  example  of  a  hazard  analysis  survey  sheet 
is  illustrated  in  Figure  1.  This  worksheet  will  identify  what  operation 
is  being  performed,  what  is  the  operational  function,  and  what  is 
the  normal  effect  of  that  function.  It  then  allows  for  the  identification 
of  what  hazard  can  result  from  the  operation,  the  hazard  categori¬ 
zation,  its  urgency /priority  rating,  and  comments  relative  to  what 
should  be  done  to  prevent  the  hazard  or  protect  against  the  conse¬ 


quences. 


The  primary  objective  of  performing  a  qualitative  analysis 


systems  is  to  provide  a  technical  assessment  of  the  relative 
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Program,  although  it  was  evident  that  a  systems  safety  analysis 
of  the  new  WRAMC  during  its  concept  formulation  and  design 
phases  could  have  identified  many  safety  hazards,  leading  to  de¬ 
sign  alterations  and  thus  saving  current  retrofit  costs.  The  DOD 
program  also  makes  it  incumbent  on  the  primary  contractor  for 
the  evaluation,  planning,  management,  testing,  and  education  of  all 
safety  aspects  for  a  given  system.  In  the  WRAMC  project,  the 
Corps  of  Engineers  is  responsible  for  specifying  and  directing 
all  safety  requirements  the  contractor  must  fulfill. 

The  need  for  a  systematic  approach  to  safety  is  both  real 
and  demanding.  Although  the  formal  System  Safety  Program  does 
not  apply  to  the  new  WRAMC,  its  philosophies  of  safety  management 
and  engineering  could  be  very  beneficial  to  WRAMC.  The  most  sig¬ 
nificant  deficits  for  the  ensurance  of  safety  within  the  new  WRAMC 
obviously  lie  in  the  management  components  of  system  safety.  In¬ 
sufficient  testing  procedures  of  various  systems  before  turning  over 

to  the  Corps  of  Engineers  was  demonstrated  in  regards  to  the  emer- 
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gency  power.  Telelift,  and  fire  protection  systems.  There  was  also 
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objectives  are  met  and,  consequently,  the  degree  of  safety  achieved 
in  a  given  system  is  directly  dependent  upon  management  emphasis. 

A  formalized  program  of  system  safety  management  needs  to  be  de¬ 
veloped  to  provide  a  technical  assessment,  in  qualitative  terms,  of 
the  relative  safety  of  a  system  design  and  operation. 

Recommendations 

1.  A  formal  System  Safety  Program  should  not  be  utilized 
in  the  new  WRAMC;  instead,  a  program  utilizing  conventional  safety 
management  procedures,  based  on  current  codes  and  standards, 
should  be  established. 

2.  The  WRAMC  Safety  Directorate  should  establish  a  safety 
surveillance  program  to  systematically  inspect  all  major  mechanical/ 
electrical  systems  in  the  new  WRAMC  for  existing  or  potential  design 
or  operational  hazards.  This  analysis  should  be  based  on  current 
safety  standards  and  codes. 

3.  A  functional  hazard  analysis  survey  sheet,  as  previously 
illustrated  in  Figure  1,  should  be  utilized  by  the  Safety  Directorate 


Staff  to  document  and  prioritize  findings. 

4.  A  review  of  pre-delivery  tests  and  contractor  furnished 
training  for  various  mechanical/electrical  systems  should  be  per¬ 
formed  by  Corps  of  Engineers  and  Facilities  Engineers  to  deter¬ 
mine  its  appropriateness  and  thoroughness.  Changes  in  the  testing 
and  training  processes  should  occur  where  deemed  necessary  and 


feasible. 


5.  Where  inadequate  testing  and  training  procedures 


cannot  be  altered  prior  to  system  acceptance  and  operation,  supple¬ 
mental  testing  and  training  should  be  developed  and  implemented  as 
a  hazard  preventative  safety  measure. 

6.  A  report  of  all  periodic  tests  of  major  mechanical/ 
electrical  systems  in  the  new  WRAMC  should  be  submitted  by  the 
Directorate  of  Facilities  Engineers  to  the  Center  Safety  Committee 
for  their  review  and  analysis. 

7.  Maximum  use  of  existing  safety  analysis  materials, 
such  as  the  Hospital  Safety  Compliance  Guide  published  by  InterQual, 


should  be  utilized  to  evaluate  compliance  with  current  safety  standards 
and  codes. 
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8.  Management  emphasis  should  be  placed  on  communications 
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APPENDIX  A 


DEFINITIONS 


Hazard  Category  I  -  -  Negligible:  Conditions  such  that  person¬ 
nel  error,  environment,  design  characteristics,  procedural 
deficiencies,  or  subsystem  or  component  failure  or  mal¬ 
function  will  not  result  in  personnel  injury  or  system  dam¬ 
age. 

Hazard  Category  II  --  Marginal:  Conditions  such  that  person¬ 
nel  error,  environment,  design  characteristics,  procedural 
deficiencies,  or  subsystem  or  component  failure  or  mal¬ 
function  can  be  counteracted  or  controlled  without  injury 
to  personnel  or  major  system  damage. 

Hazard  Category  III  --  Critical:  Conditions  such  that  person¬ 
nel  error,  environment,  design  characteristics,  procedural 
deficiencies,  or  subsystem  or  component  failure  or  mal¬ 
function  will  cause  personnel  injury  or  major  system  damage, 
or  will  require  immediate  corrective  action  for  personnel  or 
system  survival. 

Hazard  Category  IV  -  -  Catastrophic:  Conditions  such  that  person 
nel  error,  environment,  design  characteristics,  procedural  de 
ficiencies,  or  subsystem  or  component  failure  or  malfunction 
will  cause  death  or  severe  injury  to  personnel,  or  system  loss. 

Safety:  Freedom  from  those  conditions  that  can  cause  injury  or 
death  to  personnel,damage  to,  loss  of,or  degradation  of  equip¬ 
ment,  property,  or  system. 

System:  A  composite,  at  any  level  of  complexity,  of  operational 
and  support  equipment,  personnel,  facilities,  and  software 
which  are  used  together  as  an  entity  and  capable  of  perform¬ 
ing  and/or  supporting  an  operational  role. 
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System  Safety:  The  optimum  degree  of  safety,  within  the  con¬ 
straints  of  operational  effectiveness,  time,  and  cost,  attained 
through  specific  application  of  systems  safety  management  and 
engineering  principles  throughout  all  phases  of  a  systems  life 
cycle. 

System  Safety  Engineering:  An  element  of  systems  engineering 
involving  the  application  of  scientific  and  engineering  princi¬ 
ples  for  the  timely  identification  of  hazards  and  initiation  of 
those  actions  necessary  to  prevent  or  control  hazards  within 
the  system. 

System  Safety  Management:  An  element  of  program  management 
which  insures  the  accomplishment  of  the  system  safety  tasks, 
including  identification  of  the  system  safety  requirements;  plan 
ning,  organizing,  and  controlling  those  efforts  which  are  direc¬ 
ted  toward  achieving  the  safety  goals;  coordinating  with  other 
system  program  elements;  and  analyzing,  reviewing,  and  evalu 
ating  the  program  to  insure  effective  and  timely  realization  of 
system  safety  objectives. 


